nf_conntrack_helper=0 module parameter together with nf_nat_ftp module
From: Csordás Csaba Ifj. @ 2014-02-19 20:10 UTC
  To: netfilter

Hi List,

When I load nf_conntrack with

modprobe --first-time nf_conntrack nf_conntrack_helper=0

as described in the document "Secure use of iptables and connection
tracking helpers" and use the CT target in the raw table to attach the
ftp helper to specific flows then everything is working when the
corresponding firewalls are either on the client side or on the server
side AND they are directly connected. But, when there is a gateway
between them which is performing SNAT then active ftp works only when
nf_conntrack is loaded without the module parameter mentioned in
$SUBJECT. There is no filtering on the gw. To be more precise the
problem is that the server is considering the client's PORT command as
ILLEGAL, because it contains the client's own IP address. It seems that
nf_nat_ftp is not triggered in this case.
Is there a way to get it working using -j CT somewhere on the gateway
also? nf_nat_ftp also does not accept the "ports" parameter since
2.6.10. My kernel version is 3.11.
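The setup the message describes, written out as an added example (it is not the poster's configuration and not code from the netfilter project). It generates an iptables-restore ruleset for the three boxes in the report: the client-side firewall, the server-side firewall, and the SNAT gateway between them. All addresses and the interface name are constructed placeholders, and the role names, the script name and the `apply` argument are this example's own. The gateway also gets the raw-table `-j CT --helper ftp` rule: nf_nat_ftp does its PORT rewriting from inside the ftp conntrack helper, so with `nf_conntrack_helper=0` a flow that never had the helper attached on the NAT box is never rewritten, which is the unmodified PORT command the server rejects.

```shell
#!/bin/sh
# Added example, not from the original message or from the netfilter project.
# Builds an iptables-restore ruleset that attaches the ftp conntrack helper
# only to the flows that need it, following the "nf_conntrack_helper=0 plus
# -j CT" approach. Roles (names are this example's own):
#   client-fw  - firewall on the client's side
#   server-fw  - firewall on the server's side
#   gateway    - SNAT box between them (no filtering, as in the report)
# Assumed (constructed) values, override them via the environment:
FTP_SERVER=${FTP_SERVER:-192.0.2.10}   # hypothetical FTP server address
LAN=${LAN:-10.0.0.0/24}                # hypothetical client network
WAN_IF=${WAN_IF:-eth0}                 # hypothetical gateway uplink

# Load conntrack with automatic helper assignment disabled, plus the ftp
# conntrack helper and its NAT counterpart.
load_modules() {
    modprobe nf_conntrack nf_conntrack_helper=0
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
}

# Print the ruleset for one role on stdout; returns 1 for an unknown role.
ftp_helper_ruleset() {
    role=$1
    case $role in
        client-fw|server-fw|gateway) ;;
        *) printf 'unknown role: %s\n' "$role" >&2; return 1 ;;
    esac

    # raw table: helper assignment happens here, before conntrack creates the
    # entry. With nf_conntrack_helper=0 this rule is the only way the ftp
    # helper (and, on a NAT box, nf_nat_ftp, which runs from inside it) is
    # attached, and it is restricted to control connections to one server.
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A PREROUTING -d $FTP_SERVER -p tcp --dport 21 -j CT --helper ftp"
    printf '%s\n' 'COMMIT'

    if [ "$role" = gateway ]; then
        # nat table: hide the LAN behind the uplink address
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
            ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' "-A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE"
        printf '%s\n' 'COMMIT'
    else
        # filter table: RELATED is accepted only when the ftp helper created
        # the expectation, so no other helper can open the data connection.
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
            ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT'
        printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT'
        printf '%s\n' "-A FORWARD -d $FTP_SERVER -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' 'COMMIT'
    fi
}

# Usage: ./ftp-helper.sh ROLE          (print the ruleset)
#        ./ftp-helper.sh ROLE apply    (load modules and install it)
if [ "${2:-}" = apply ]; then
    load_modules
    ftp_helper_ruleset "$1" | iptables-restore
elif [ -n "${1:-}" ]; then
    ftp_helper_ruleset "$1"
fi
```

Printing the ruleset first and applying it only on request keeps the generated rules reviewable; the `-m helper --helper ftp` match on the RELATED rule is what ties the accepted data connection to the helper that was deliberately attached in the raw table.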
